04 August 2015

Hey You, Get off My Cloud! Are You Covered if Hackers Penetrate Your Cloud-Based Network?

Data breaches can now be added to the list of life’s inevitable occurrences. It is not a matter of if, but when, a company will be breached. More and more of these breaches result from hackers penetrating the networks of third parties, such as vendors and cloud providers. As more companies put information in the cloud, hackers will continue to target these networks. When addressing this increasing risk, companies should evaluate whether their insurance policies provide coverage for breaches of data that is maintained by a third-party vendor, and if so, what safeguards are required of those vendors to trigger coverage.

Although cyber coverage is a relatively new product, dozens of insurance carriers now offer it (although the amounts of coverage available often are limited). Unlike more established lines of insurance, there is no standard form on which cyber coverage is underwritten. While this lack of standardization requires companies to scrutinize policy language when purchasing cyber coverage, it also provides more room for negotiating the terms of cyber policies than many other types of coverage.

Most garden-variety cyber policies do not expressly provide coverage for acts and omissions by third parties or data in the control of third parties. Some policies expressly exclude coverage related to third-party acts or omissions. Where a policy is unclear as to whether such coverage is provided, or contains an unclear provision that the insurer asserts limits coverage, the policyholder should insist on full coverage. Ambiguous policy language is construed against the insurer, so the insured should not simply accept the insurer’s subjective, restrictive reading of unclear language. However, such ambiguities almost certainly will result in the insurer contesting coverage, likely requiring the company to absorb significant costs of litigation in hopes of obtaining a favorable coverage ruling.

Some cyber policies provide coverage for breaches of data maintained by third parties as long as there is a written agreement between the insured and the vendor to provide such services. Additionally, in instances where coverage is provided for such acts and omissions, that determination may hinge on how the third-party vendor is using the company’s information and what safeguards that vendor has in place to ensure that the company’s data is protected if a breach comes through the cloud.

If an organization relies on any third parties to maintain its confidential subscriber or employee information, it should seek to have coverage for breaches of data maintained by third parties expressly provided within the policy. Moreover, any self-insured retention language applicable to this coverage should mandate that any payments made by the third party indemnifying the company for loss sustained by the breach count toward satisfaction of the retention.

If you have any questions, please contact the author or another member of the Insurance Policyholder Counseling and Recovery group.